Watering Hole Attacks Deliver Keylogger and Malware Loader

A watering hole attack takes its name from predators that wait for prey at a watering hole. The threat actor identifies a website that the targeted business or individual visits regularly, compromises it, and plants malicious code on it, so that malware is inadvertently downloaded or executed when a user lands on the site. The website is usually compromised by exploiting an unpatched vulnerability or by obtaining website administrator credentials.

These attacks are often conducted by Advanced Persistent Threat (APT) actors in cyber espionage campaigns. One such campaign was recently detected and attributed to the Chinese APT group tracked as TA423; it delivers the JavaScript-based reconnaissance tool ScanBox and targets offshore energy firms that operate in the South China Sea.

Watering hole attacks often see malware written to disk, but this campaign is different: ScanBox is executed in the web browser and requires no malware to be downloaded. Once running, ScanBox logs keystrokes and records all activity on the malicious website, including any passwords that are entered. In this campaign, as in many watering hole attacks, the user is directed to the website via a phishing email. Targeted individuals receive messages requesting collaboration that appear to have been sent by an Australian media organization, the fictional Australian Morning News. The website to which the user is directed carries news content scraped from legitimate news outlets, and landing on it serves the user the ScanBox framework, which is used for reconnaissance and browser fingerprinting.

In addition to collecting information about the browser, operating system, extensions, and plugins, ScanBox sets up Interactive Connectivity Establishment (ICE) communications via STUN servers, the NAT-traversal mechanism used by WebRTC. Because the connection is initiated from inside the victim's network, this lets the attackers' infrastructure communicate with victim devices even though they sit behind network address translation (NAT) gateways and firewalls.
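What that ICE setup looks like on the wire, as an added example that is not part of the original article and is not ScanBox code: the script below builds the STUN Binding Request a browser sends when it gathers ICE candidates and decodes the XOR-MAPPED-ADDRESS attribute in the reply, which is how the client (and, in this campaign, the attacker) learns the public IP address and port that the NAT assigned. The message layout follows RFC 5389; the address, port and transaction ID are constructed sample values.

```python
"""Added example: STUN Binding Request builder and Binding Response parser
(RFC 5389 layout).  Sample address, port and transaction ID are constructed."""
import os
import struct

MAGIC_COOKIE = 0x2112A442        # fixed value at bytes 4..7 of every RFC 5389 message
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
XOR_MAPPED_ADDRESS = 0x0020
FAMILY_IPV4 = 0x01


def build_binding_request(transaction_id=None):
    """Return the 20-byte header of a Binding Request carrying no attributes."""
    if transaction_id is None:
        transaction_id = os.urandom(12)          # 96-bit transaction ID
    if len(transaction_id) != 12:
        raise ValueError("transaction ID must be 12 bytes")
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + transaction_id


def encode_xor_mapped_address(ip, port):
    """Encode an IPv4 XOR-MAPPED-ADDRESS attribute (type 0x0020, value length 8).

    The port is XORed with the top 16 bits of the magic cookie and the address
    with the whole cookie, which is why the real address never appears verbatim."""
    octets = bytes(int(o) for o in ip.split("."))
    if len(octets) != 4:
        raise ValueError("IPv4 address expected")
    x_port = port ^ (MAGIC_COOKIE >> 16)
    x_addr = struct.unpack("!I", octets)[0] ^ MAGIC_COOKIE
    value = struct.pack("!BBHI", 0, FAMILY_IPV4, x_port, x_addr)
    return struct.pack("!HH", XOR_MAPPED_ADDRESS, len(value)) + value


def build_binding_response(transaction_id, ip, port):
    """Constructed server reply telling the client how it is seen from outside the NAT."""
    attr = encode_xor_mapped_address(ip, port)
    header = struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC_COOKIE)
    return header + transaction_id + attr


def parse_binding_response(data, expected_txid):
    """Validate the header and return (ip, port) from XOR-MAPPED-ADDRESS, or None."""
    if len(data) < 20:
        raise ValueError("short STUN message")
    msg_type, length, cookie = struct.unpack("!HHI", data[:8])
    txid = data[8:20]
    if cookie != MAGIC_COOKIE or msg_type != BINDING_SUCCESS:
        raise ValueError("not a STUN Binding Success response")
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch")
    body = data[20:20 + length]
    pos = 0
    while pos + 4 <= len(body):
        attr_type, attr_len = struct.unpack("!HH", body[pos:pos + 4])
        value = body[pos + 4:pos + 4 + attr_len]
        pos += 4 + ((attr_len + 3) & ~3)       # attribute values are padded to 4 bytes
        if attr_type == XOR_MAPPED_ADDRESS and len(value) == 8:
            _, family, x_port, x_addr = struct.unpack("!BBHI", value)
            if family != FAMILY_IPV4:
                continue
            port = x_port ^ (MAGIC_COOKIE >> 16)
            addr = struct.pack("!I", x_addr ^ MAGIC_COOKIE)
            return ".".join(str(b) for b in addr), port
    return None


if __name__ == "__main__":
    txid = bytes(range(12))                                   # constructed transaction ID
    request = build_binding_request(txid)
    # Constructed reply from a STUN server that saw the client as 203.0.113.7:54321
    response = build_binding_response(txid, "203.0.113.7", 54321)
    print("request :", request.hex())
    print("reflexive address:", parse_binding_response(response, txid))
```

On the wire this is a UDP datagram, usually to port 3478, with the constant 0x2112A442 at offset 4. Browsers send these legitimately for any WebRTC session, so the signal worth alerting on is not STUN itself but STUN Binding Requests from a browser to a server that is not one of the organization's known conferencing or collaboration providers.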

Watering hole attacks have been conducted by a range of APT groups, and they have been the initial access vector of choice for Iranian threat actors for several years. Earlier this year, a campaign was detected that targeted Israeli websites in order to collect data on visitors from shipping, logistics and healthcare organizations and to deliver malware that provided persistent access to victim devices.

Watering hole attacks are also conducted by cybercriminal groups to distribute malware. One such campaign was recently detected that targets law firms with the goal of delivering Gootloader, a first-stage malware loader that can be used to deliver a variety of payloads. Rather than using phishing emails to drive traffic to a malicious site, the threat actors used compromised WordPress websites. Once they had access to the websites, they applied search engine optimization (SEO) techniques targeting search terms likely to be used by law firms, ensuring that the malicious pages appeared high in the search listings for legal information, especially legal contract templates.

Defending against watering hole attacks requires a defense-in-depth strategy that includes end-user security awareness training, web filtering to block access to known malicious websites, endpoint detection software, and spam filters. TitanHQ can help by providing several of these layers, including the SafeTitan security awareness training and phishing simulation platform, the WebTitan DNS-based web filter, and SpamTitan email security.

For more information, give the TitanHQ team a call. Product demonstrations can be arranged on request, and all TitanHQ cybersecurity solutions are available on a no-obligation, 100% free trial.

How to Protect Against Web-based Malware Attacks

Cybercriminals use a variety of tactics, techniques, and procedures for distributing malware, and while email is one of the most common attack vectors, web-based malware attacks are becoming more common. In this article, we explore some of the ways that traffic is driven to malicious websites hosting malware and suggest ways that businesses can protect themselves against these attacks.

SEO Poisoning

SEO poisoning is the term given to the manipulation of search engine results so that malicious websites appear high in the listings for specific search terms, often terms likely to be used by business users. Cybercriminals either create a website or web page, or compromise an existing website and add a page with malicious content, and often choose a domain name or page URL that closely resembles the brand being spoofed. Black hat search engine optimization techniques are then used to trick search engines into ranking the page highly for the targeted search terms. Common techniques include keyword stuffing (adding many relevant keywords to the HTML and visible text), backlinking campaigns (adding many links to the page from other websites, for example via private link networks), cloaking (showing different content to search engine crawlers than to genuine visitors), and artificially inflating click-through rates. These techniques may be used to promote phishing and other scams, but they are most commonly used for malware distribution: a visitor to the site is offered a download related to their search term, or is otherwise prompted to download a file that silently installs malware and gives the attacker access to their device.

Search Engine Ad Abuse / Malvertising

It is easy to create a malicious website for malware distribution, but traffic needs to be driven to it. Phishing emails are commonly used, but email filters are getting much better at detecting malicious hyperlinks. Instead, cybercriminals can drive traffic to malicious content through Google Ads and other search engine ad platforms, or by placing malicious adverts in the third-party ad blocks shown on legitimate websites, which display them to generate additional revenue. While Google, Bing and the third-party ad networks have controls in place to keep malicious adverts out, cybercriminals get around those controls for long enough to drive considerable volumes of traffic to their malicious web pages. This technique is often referred to as malvertising (malicious advertising). Because these adverts appear above the search engine results or in another prominent position, they attract a lot of clicks. As with SEO poisoning, the web pages trick users into downloading a malicious file that installs malware.

Torrents and Warez Sites

SEO poisoning and malvertising usually require some user action to install the malware: the user must be tricked into downloading and opening a file. One of the easiest ways to achieve that is to offer something the user wants to download, ideally something that requires them to run an executable. Cybercriminals often bundle malware into the installers for pirated software, or into the cracks and key generators used to produce valid license codes. Torrent sites are used for peer-to-peer file sharing, often of pirated games, software, videos, and music, and pirated software is also commonly offered on 'warez' sites. Often the content being sought is installed as promised, but malware is silently installed alongside it during the installation process. The user gets the software, game, or app they want and is unaware that malware has also been installed.

How to Protect Against Web-Based Malware Attacks

Assuming that you already have an effective spam filter, such as SpamTitan Plus, for blocking malicious links in emails, and antivirus software or another endpoint security solution installed on each device, there are two further layers that protect against web-based malware attacks: security awareness training and web filtering.

Security Awareness Training

The importance of security awareness training cannot be overstated. If employees are not made aware of cyber threats and are not taught cybersecurity best practices, they cannot be expected to identify and avoid threats, and they will likely engage in risky practices that could easily lead to a malware infection. Many employees mistakenly believe that they or their company will not be targeted; the reality is that businesses of all sizes are being attacked, and employees are usually the easiest route to sensitive data and internal systems. Training needs to be an ongoing process in which knowledge is built up over time and employees are taught about the changing tactics cybercriminals use. Training should be provided to all members of the workforce, including the CEO and the rest of the C-suite. A good practice is to provide a full training session once or twice a year, with shorter training modules completed throughout the year; a few minutes each month spent on training modules keeps employees aware of the latest threats and keeps cybersecurity fresh in their minds.

Web Filtering

All of the above techniques involve driving traffic to malicious websites. Training will help employees to recognize and avoid threats, but it is possible to prevent connections to malicious websites from being made with a web filter. A web filter is used to carefully control the web content that employees can access. Web filters typically have category-based filtering controls that can be used to block access to categories of web content that are illegal, undesirable, risky, or otherwise serve no work purpose.

Businesses can block access to torrent and warez sites by category, along with other risky sites. Web filters can also be configured to block certain file types from being downloaded, such as executable files, which helps to prevent malware delivery and shadow IT installations (software that has not been authorized by the IT department). Web filters are also updated with blocklists of known malicious websites and web pages, so any attempt to visit one of those resources is blocked; with a DNS-based web filter, the connection is refused at the DNS lookup, before any content is downloaded.

How TitanHQ Can Help

Many thousands of businesses rely on TitanHQ cybersecurity solutions to protect against malware threats, phishing attacks, business email compromise scams, and other cyber threats. TitanHQ has developed the SpamTitan suite of email security products for blocking phishing, malware, and other email threats, the WebTitan DNS-based web filter for blocking Internet-based threats, and the SafeTitan security awareness training and phishing simulation platform for improving awareness of threats and teaching cybersecurity best practices. All TitanHQ solutions are intuitive, easy to implement, easy to maintain, and easy to use, and are available on a free trial to allow businesses to evaluate them in their own environment before deciding on a purchase. If you want to improve security, why not give the TitanHQ team a call for advice on the best solutions to meet your needs or sign up for a free trial of these solutions.

ChromeLoader Malware on the Rise: How to Prevent Infection

ChromeLoader is a family of malware that is extremely prevalent and persistent. The malware installs malicious browser extensions, and removing them can be problematic because the malware blocks access to Chrome's extensions management page, so the extensions cannot be removed even if they are discovered. The extensions are used to deliver unwanted ads and to redirect users to websites they would not otherwise visit. At best, an infection is a nuisance; however, the malware increases the attack surface of the system and can easily lead to other malware being delivered.

ChromeLoader was first observed in January 2022 and infections are now widespread. The malware is most commonly spread via sites that offer pirated software (torrent and warez sites), usually inside malicious ISO image files. Several campaigns have advertised pirated software, games, and movies on social media networks, especially Twitter, with the posts linking to download sites. When the installation file is downloaded and run, the user will likely get the software, operating system, or game they were expecting, but ChromeLoader and/or other malware will also be installed.

A new ChromeLoader distribution campaign has recently been detected by HP’s Wolf Security team. They report that the campaign has been active since at least March 2023 and delivers a ChromeLoader variant that installs a malicious adware browser extension called Shampoo. Shampoo redirects users to a variety of websites, including fake giveaways, games, and dating sites. The redirects are annoying in themselves but also expose the user to further malware infections. The extension is difficult to uninstall because the user is prevented from accessing the Chrome extensions page, and if the user does manage to remove it, a Windows scheduled task simply reinstalls it when the device is rebooted. According to HP, the campaign uses a network of malicious websites offering pirated material; the download sites deliver VBScripts that execute PowerShell scripts, which in turn fetch Shampoo and install the malicious Chrome extension. While this campaign only installs adware at present, tactics could change, and more damaging malware could be delivered the same way.
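The scheduled-task persistence described above is something a responder can check for directly. The script below is an added example, not HP's or TitanHQ's code, that triages exported Task Scheduler definitions for a task which fires at logon or boot and either relaunches Chrome with a side-loaded extension or runs a VBScript or PowerShell stage. The XML is constructed in the format that `schtasks /Query /XML` and the `Export-ScheduledTask` cmdlet produce; the indicator patterns, including the `--load-extension` check, are assumptions made for the example rather than a signature of any specific sample.

```python
"""Added example: triage of Task Scheduler XML exports for ChromeLoader-style
persistence.  The task definitions and indicator regexes below are constructed
assumptions for the example."""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
PERSISTENT_TRIGGERS = {"LogonTrigger", "BootTrigger"}   # re-arm the payload on reboot/logon

# (label, case-insensitive regex applied to "command arguments")
INDICATORS = [
    ("chrome launched with side-loaded extension", r"chrome(\.exe)?\b.*--load-extension"),
    ("script host running VBScript", r"\b[wc]script(\.exe)?\b.*\.vbs\b"),
    ("encoded or hidden PowerShell",
     r"powershell(\.exe)?\b.*(-enc\w*|-e\b|-e(xecutionpolicy|p)\s+bypass|-w(indowstyle)?\s+hidden)"),
]


def task_exec_lines(xml_text):
    """Yield (trigger types, 'command args') for each <Exec> action in one task definition."""
    root = ET.fromstring(xml_text)
    triggers_el = root.find("t:Triggers", NS)
    triggers = ({child.tag.split("}")[-1] for child in triggers_el}
                if triggers_el is not None else set())
    for exec_el in root.findall("t:Actions/t:Exec", NS):
        cmd = exec_el.findtext("t:Command", default="", namespaces=NS).strip()
        args = exec_el.findtext("t:Arguments", default="", namespaces=NS).strip()
        yield triggers, f"{cmd} {args}".strip()


def triage_task(name, xml_text):
    """Return findings as (task name, indicator, survives reboot/logon, command line)."""
    findings = []
    for triggers, line in task_exec_lines(xml_text):
        for label, pattern in INDICATORS:
            if re.search(pattern, line, re.IGNORECASE):
                findings.append((name, label, bool(triggers & PERSISTENT_TRIGGERS), line))
    return findings


def triage_all(tasks):
    """tasks: {task name: exported XML text}."""
    return [f for name, xml_text in tasks.items() for f in triage_task(name, xml_text)]


# Constructed task exports: two suspicious, two benign
TASKS = {
    "ChromeUpdateCheck": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\Program Files\Google\Chrome\Application\chrome.exe</Command>
    <Arguments>--load-extension="C:\Users\Public\ext" --no-startup-window</Arguments>
  </Exec></Actions>
</Task>""",
    "StartupHelper": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><BootTrigger><Enabled>true</Enabled></BootTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\Windows\System32\wscript.exe</Command>
    <Arguments>//B "C:\Users\Public\update.vbs"</Arguments>
  </Exec></Actions>
</Task>""",
    "NightlyBackup": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2023-06-01T02:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\Windows\System32\robocopy.exe</Command>
    <Arguments>C:\data D:\backup /MIR</Arguments>
  </Exec></Actions>
</Task>""",
    "AssetInventory": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2023-06-01T07:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Command>
    <Arguments>-NoProfile -File C:\scripts\inventory.ps1</Arguments>
  </Exec></Actions>
</Task>""",
}

if __name__ == "__main__":
    for name, label, persistent, line in triage_all(TASKS):
        print(f"[{'PERSISTENT' if persistent else 'one-off'}] {name}: {label}\n    {line}")
```

The benign PowerShell task is deliberately included: plain `-File` invocations are everyday administration, so only the hidden-window, encoded-command and execution-policy-bypass forms are flagged. A cleanup that stops at deleting the extension folder leaves the task in place, which is exactly why the adware comes back after a reboot.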

While ChromeLoader could be distributed in multiple ways, the primary delivery method is pirated software, so the simplest preventive step is never to download pirated material and to install software and operating systems only from official sources. Businesses should implement controls to prevent illegal software downloads; these carry a high risk of installing malware, and pirated software is a legal risk in its own right. Businesses should also implement controls to prevent shadow IT, meaning IT solutions installed without the knowledge of the IT department, as these can introduce vulnerabilities that malicious actors can exploit.

The IT department should maintain an inventory of all software and operating system versions used by the company. When patches or updates are released, the IT department needs to ensure that the company is running the latest versions; if it is unaware that employees have installed programs, vulnerabilities in those programs can easily go unaddressed. Employees may install additional software to make their jobs easier and improve productivity, but doing so introduces considerable security and legal risks.

How to Prevent ChromeLoader Infections

One way that businesses can control shadow IT and prevent ChromeLoader infections is to implement a web filter such as WebTitan Cloud, which controls access to the Internet. Categories of websites can be blocked, such as torrent and warez sites, along with other risky websites that serve no work purpose. URLs and domains known to be malicious are blocked automatically, and WebTitan is constantly updated with new malicious websites as soon as they are discovered. WebTitan Cloud can also be configured to block certain file types from being downloaded, such as the installer and disk image files used to install software (.msi, .iso, etc.), which helps to control shadow IT, along with the executable and script files commonly used for malware installation (.exe, .js, .vbs, etc.).

WebTitan Cloud is easy to implement and requires no additional hardware, configuration is very straightforward, and this is a low-cost solution that will provide excellent protection against web-based threats. For more information on WebTitan Cloud or to arrange a product demonstration, give the TitanHQ team a call. WebTitan Cloud is also available on a free trial to let you put the solution to the test before deciding on a purchase.

How to Improve the Effectiveness of Your Security Awareness Training

Cyberattacks on businesses have been increasing at an astonishing rate and attacks are becoming much more sophisticated. A successful attack can cause long-lasting problems for businesses due to the reputational damage caused, especially when sensitive customer data is stolen. Customers will be lost and may never return and lawsuits following successful cyberattacks are increasingly likely. That is on top of the disruption to business while remediating an attack and the potential for permanent loss of data.

Many businesses invest considerable money into technical cybersecurity measures and while these are important and will block many attacks, some will bypass those defenses and will reach employees. Employees are an important line of defense and they should not be neglected. Education of the workforce on security best practices and the threats they may encounter can be the difference between a thwarted attack and an extremely damaging data breach.

An increasing number of businesses are recognizing that security awareness training for employees is a good investment and can significantly improve their security posture, but simply providing a training course to employees may not provide the expected benefits. You must make sure the training is effective to get a good return on your investment.

Security awareness training is important because cybercriminals usually target an organization’s employees. The 2022 Verizon Data Breach Investigations Report found that 82% of breaches involved the human element, which includes responses to phishing emails, misconfigurations, and other mistakes that open the door to attackers. Through security awareness training, bad security practices can be reduced, and employees can be taught to be more security-aware and to identify the telltale signs of phishing emails and other types of cyberattack.

Security Awareness Training Tips to Make Training More Effective

Many security awareness training programs are not as effective as they should be, so to get the best bang for your buck you should consider the following.

Create a baseline against which progress can be measured

If you have yet to start providing security awareness training, make sure you create a baseline against which you can measure the success of the training program and ensure you continue to record metrics that allow you to measure progress. Keep records of training, who has completed each module, test results, the number of security incidents that you experience, and phishing simulation metrics.

Provide ongoing training

Security awareness training should be provided to all new hires as part of the onboarding process but don’t stop there. Even an annual training session is not sufficient. Training needs to be an ongoing process provided throughout the year. Only through continuous training are you likely to develop a security culture and be able to keep employees up to date on the latest threats.

Tailor the training to individuals

A one-size-fits-all training course is unlikely to be effective. Your workforce consists of people who learn in different ways and have different levels of understanding of security, so your training content should reflect that. Staff members well versed in security will get bored by basic courses, but make the courses too advanced too quickly and people will be left behind. You should also base training on the threats employees are likely to encounter, and those threats differ from role to role.

Use a professional training course

You can develop a training course from scratch, but it will require a lot of effort to make sure it is effective for all employees, and then ensure it is kept up to date with the latest threat intelligence. You will likely have far greater success if you use a training solution provided by a cybersecurity company that has put the time and effort into making quality, engaging, fun, and gamified content, regularly updates that content, and provides a platform that allows training to be largely automated.

Ensure the training is engaging

Try to avoid classroom sessions where you explain threats and teach best practices. Also ensure that training is provided in manageable chunks that can be easily assimilated. Training should be engaging, interactive, and enjoyable, and should include a mix of training materials, including multimedia content, quizzes, and exercises.

Conduct phishing simulations

Ensure that the training process includes phishing simulations. These will allow you to measure how effective the training is and how people improve over time. Phishing simulations allow you to test to see whether training is being applied in the workplace and will identify individuals who require further training. Phishing simulations give employees practice at identifying phishing attempts and prepare them properly for real threats.

Provide training to everyone

Anyone can encounter a threat, and the CEO and board members are often targeted by cybercriminals as they have access to the most valuable data. Providing training to all will also help with the development of a security culture and employees are more likely to take training seriously if they know that everyone in the company must go through the same training process.

Security Awareness Training and Phishing Simulations from TitanHQ

TitanHQ has developed a comprehensive security awareness training program called SafeTitan to help organizations develop a security culture and change employee behavior. The platform includes an extensive library of training content, split into small modules that are easy to fit into busy workflows. The content is interactive, gamified, and engaging to improve knowledge retention, and it allows training to be tailored to different abilities and roles.

The platform also includes a phishing simulation platform for ongoing testing against specific phishing threats, and the platform will automatically deliver training in real-time in response to security mistakes by employees, ensuring training is provided where it is needed most at the time when it is most likely to be effective.

For more information about improving security awareness through SafeTitan, give the TitanHQ team a call and take a big first step toward creating a security culture in your organization.

Search Engine Poisoning for Malware Distribution

There has been a notable increase in search engine poisoning for distributing malware. Search engine poisoning is the term given to the manipulation of search engine results to display links to malicious websites. These websites can be used to phish for sensitive information, but this technique is most commonly used for distributing malware.

Search engine poisoning can be achieved in different ways. One way it is used to target businesses is to create a web page and apply search engine optimization techniques aimed at specific search queries. It can take a lot of time and effort to get web pages appearing in the organic search results for popular search terms, but the queries typically targeted have little competition, so it is quite easy to get pages appearing high in the organic listings. Attackers typically target low-volume business search queries, such as searches for contract templates, forms, and agreements. Since the person performing the search intends to download the content, they can easily be tricked into downloading a malicious file. Often the user gets the file they were looking for, but the file silently installs malware when it is opened.

Google is well aware that the higher up a webpage is in the search results, the more likely it will be visited. The prime spots are at the very top of the search engine results, and that area is reserved for sponsored links. Getting a malicious site in these links will maximize the traffic to a website, and advertisers compete for these advertising slots through the Google Ads online advertising platform. Advertisers can bid for these slots for key search terms that they want to target.

Google Ads are increasingly being used by malicious actors as an alternative method of search engine poisoning, and they achieve the greatest success when they target popular software downloads. An attacker will create a website advertising a popular software solution, often cloning the website of a legitimate brand. They will offer a download of that software on the site but will alter the installation file so that in addition to installing the software, malicious code will be executed silently which will install malware.

The domain names used closely mirror those of the legitimate brand, and typically include the brand name with additional characters or words to make the domain appear official. The downloaded files are usually code-signed, but with certificates that fail validation, even though the certificate names a recognizable brand. If those warning signs are ignored and the installation file is executed, malware will be installed.
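The domain pattern just described can be screened for mechanically. The script below is an added example, not from the article or any vendor, that classifies download-site hostnames against a brand allowlist: an exact match on the brand's own registrable domain is official, the brand name padded with extra characters or words is a look-alike, and a one-character spelling variant is a typosquat. The brand table and the candidate hostnames are constructed for the example.

```python
"""Added example: brand look-alike and typosquat screening for download-site
hostnames.  Brand table and candidate hostnames are constructed."""

# Assumption: brand token as it appears in domains -> the brand's real registrable domains.
# A production allowlist would come from the vendor's published domains.
BRANDS = {
    "notepad-plus-plus": {"notepad-plus-plus.org"},
    "libreoffice": {"libreoffice.org", "documentfoundation.org"},
    "anydesk": {"anydesk.com"},
}


def registrable_domain(host):
    """Assumption: two-label registrable domains; production code should use the public suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a, b):
    """Edit distance, used to catch single-character spelling variants."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host):
    """Return (verdict, brand): official, lookalike, typosquat or unrelated."""
    host = host.lower().strip(".")
    reg = registrable_domain(host)
    label = reg.split(".")[0].replace("-", "")
    for brand, official in BRANDS.items():          # exact allowlist match wins
        if reg in official:
            return "official", brand
    squashed_host = host.replace(".", "").replace("-", "")
    for brand in BRANDS:
        squashed_brand = brand.replace("-", "")
        if squashed_brand in squashed_host:          # brand name plus extra characters or words
            return "lookalike", brand
        # Short brand tokens would match too much at distance 1, so require 5+ characters
        if len(squashed_brand) >= 5 and levenshtein(squashed_brand, label) <= 1:
            return "typosquat", brand
    return "unrelated", None


def screen_hosts(hosts):
    """Classify each hostname; only 'official' should be allowed to serve installers."""
    return [(host,) + classify(host) for host in hosts]


# Constructed candidates of the kind seen in ad-driven download pages
CANDIDATES = [
    "download.notepad-plus-plus.org",
    "notepad-plus-plus-download.com",
    "notepadplusplus.download.net",
    "anydesk.com",
    "anydsk.com",
    "libreofice.org",
    "news.example",
]

if __name__ == "__main__":
    for host, verdict, brand in screen_hosts(CANDIDATES):
        print(f"{verdict:10} {host:34} {brand or ''}")
```

Domain screening covers only the first signal the article lists; the signature on the downloaded file is checked separately, for example with the Windows Get-AuthenticodeSignature cmdlet, where anything other than a valid status should stop the installation regardless of which brand the certificate names.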

The key to defending against these attacks is to prevent the malicious files from being downloaded and, ideally, to prevent users from visiting the malicious websites in the first place. The early stages of the attack can be blocked with an ad blocker or a web filter, but note the difference: a web filter can be configured to prevent a user from visiting the malicious website, whereas an ad blocker only suppresses the adverts and does nothing about poisoned organic listings. A web filter can also be configured to block downloads of certain file types, such as executable files. In addition to blocking search engine poisoning, preventing downloads of executable files helps IT teams to control shadow IT (unauthorized software installations).

These methods of malware distribution should also be covered in security awareness training. Businesses should teach employees security best practices and make them aware of risks such as phishing and other email-based attacks, as well as search engine poisoning and other web-based attacks. Security awareness training adds an important layer of protection and helps to strengthen human defenses, which is vital since the majority of successful cyberattacks involve human error.

TitanHQ can help improve security through its portfolio of cybersecurity solutions which include SpamTitan Email Security, WebTitan Web Filtering, and the SafeTitan Security Awareness Training and Phishing Simulation platform. For more information, to arrange a product demonstration, or to register for a free trial with full product support, give the TitanHQ team a call today.

AI Chatbots are Being Used to Create Perfect Phishing Emails

Identifying phishing attempts used to be fairly straightforward for end users. The messages often contained grammatical errors and spelling mistakes. Phishing campaigns are often run by individuals who do not speak English as a first language, so errors were inevitable, and it was those errors that made a phishing attempt fairly easy to spot.

Those errors may soon become a thing of the past thanks to artificial intelligence tools such as ChatGPT. ChatGPT and other large language model AI tools can be used to create perfect English (or other languages) and therefore convincing text for use in phishing and social engineering attacks. Evidence is growing that these tools are being adopted by malicious actors to create phishing content that is indistinguishable from the content that a human could create, and in many cases, it is even better.

Europol has recently issued an alert about the malicious use of these AI tools for phishing and warned that the problem is likely to get worse. It is not just a case of being able to draft a grammatically correct email devoid of spelling mistakes, but that these AI chatbots can write emails in whatever style the threat actor wants, including in an authoritative tone as one would expect from an official government communication.

The biggest threat is likely to be highly targeted emails – spear phishing. Spear phishing has a far higher success rate than standard phishing attempts, as emails are carefully crafted to attack a very small number of individuals. That requires considerable research to ensure that the scam is convincing and the email will likely be opened and the request followed. The ability of AI tools to create spear phishing emails should not be underestimated. The messages these tools can generate can be exactly what a threat actor needs and the process can be largely automated, which means a higher success rate and more attacks.

These tools significantly lower the barrier to entry for conducting phishing attacks, and while restrictions are in place to prevent malicious use, they are being bypassed. Ask ChatGPT directly to write a phishing email and it will refuse, but the same content can be obtained with a less direct request. The cybersecurity firm Darktrace says it has found evidence of phishing emails increasingly being written by chatbots; not only does that make it easier for cybercriminals to create convincing messages, it also allows much longer messages to be produced than was previously practical. The company reports that phishing email volume is down, which it suggests could be because threat actors are able to write better, more linguistically complex emails and are opting for quality over quantity. Chatbots have also been used to write malicious scripts that could serve as ransomware or information-stealing malware; researchers have created examples of both using the engine that powers ChatGPT. Europol paints “a grim outlook”, as phishing emails will become a lot harder for people to identify. Tools have been developed that attempt to detect AI-written content, but they are not reliable, and as AI chatbots become more advanced these tools are likely to become even less reliable.

So while the outlook is not good, the advances in AI mean businesses will need to up their game. That means providing security awareness training to the workforce and keeping employees abreast of the changing tactics used by threat actors. Training should emphasize that employees should not implicitly trust any communication and should treat every unexpected request as a possible scam. Training should cover security best practices, and businesses will also need to improve their technical defenses and implement further solutions to identify and block the various stages of a phishing attempt: advanced spam filtering (SpamTitan includes an AI-based component for detecting phishing attempts), a web filter, multi-factor authentication, and prompt patching so that all software is kept up to date.